Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Session token reuse requires prior low-privilege authenticated access (PR:L) and non-trivial token acquisition steps (AC:H), with impact limited to partial confidentiality disclosure only.
Primary rating from Vendor (HCL).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
HCL iControl is affected by an Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity.
Analysis (AI)
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session tokens valid indefinitely until explicit logout. An attacker who obtains a valid session token - through interception or unattended browser access - can reuse it to access the application and read data. CVSS rates this Low (3.1) reflecting high attack complexity and limited confidentiality impact; no public exploit exists and the vulnerability is not listed in CISA KEV.
Technical Context (AI)
CWE-613 (Insufficient Session Expiration) describes a class of web application flaws where the server-side session store does not enforce a maximum idle timeout, keeping session tokens valid well beyond the user's active period. HCL iControl (CPE: cpe:2.3:a:hcl_software:icontrol:*:*:*:*:*:*:*:*) is a web-based IT management platform by HCL Software; its session lifecycle management does not invalidate tokens after inactivity, violating OWASP session management best practices. The vulnerability is network-reachable (AV:N) because the iControl interface is web-based, but exploiting it requires the attacker to first acquire a live, authenticated session credential (PR:L, AC:H), limiting the practical attack surface.
Remediation (AI)
Consult the HCL advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131511 for vendor-recommended remediation; no exact patched version number is confirmed from available input data. As interim compensating controls, administrators should configure the shortest operationally acceptable server-side session idle timeout (commonly 15-30 minutes), enforce explicit logout requirements through user policy and training, and ensure session tokens are invalidated server-side on logout rather than only client-side. Restricting access to the iControl web interface through network-layer controls such as VPN requirements or IP allowlisting reduces the pool of potential token-interception attackers. Note that aggressive session timeouts will increase re-authentication frequency, potentially impacting user workflows in long-running administrative sessions.
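The compensating controls above (a server-side idle timeout, an absolute session lifetime, and server-side invalidation on logout) are illustrated in the following added example. It is not HCL iControl code and not taken from the advisory; it assumes a simple in-memory store keyed by a random token, with the clock injectable so the expiry rules can be exercised without waiting. The `idle_timeout=None` configuration reproduces the CWE-613 behaviour (tokens live until explicit logout) next to the hardened setting.

```python
"""Server-side session store with idle-timeout enforcement (added example,
not HCL iControl's implementation). Assumptions: in-memory store, tokens
from secrets.token_urlsafe, `now` injectable for deterministic checks."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    created_at: float   # for the absolute lifetime cap
    last_seen: float    # for the sliding idle window


class SessionStore:
    """Validity is decided on the server, so a leaked token expires on its own.

    idle_timeout: seconds of inactivity after which the token is rejected.
                  None reproduces the CWE-613 weakness: no idle expiry at all.
    max_lifetime: absolute cap in seconds, enforced regardless of activity.
    """

    def __init__(self, idle_timeout: Optional[float], max_lifetime: float = 8 * 3600):
        self.idle_timeout = idle_timeout
        self.max_lifetime = max_lifetime
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user bound to a live token, or None. Expired entries are purged."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        idle_expired = self.idle_timeout is not None and now - s.last_seen > self.idle_timeout
        life_expired = now - s.created_at > self.max_lifetime
        if idle_expired or life_expired:
            del self._sessions[token]  # invalidate server-side, not merely in the client
            return None
        s.last_seen = now  # activity extends the idle window, never the absolute cap
        return s.user

    def logout(self, token: str) -> bool:
        """Explicit logout removes the server-side entry; deleting the cookie is not enough."""
        return self._sessions.pop(token, None) is not None


def demo() -> dict:
    """Contrast the weak configuration with a 15-minute idle timeout."""
    t0 = 1_700_000_000.0                 # constructed reference time
    vulnerable = SessionStore(idle_timeout=None)
    hardened = SessionStore(idle_timeout=15 * 60)
    tv = vulnerable.login("admin", now=t0)
    th = hardened.login("admin", now=t0)

    # Two hours of silence, then the token is presented again by whoever holds it.
    later = t0 + 2 * 3600
    results = {
        "vulnerable_after_2h": vulnerable.validate(tv, now=later),  # still 'admin'
        "hardened_after_2h": hardened.validate(th, now=later),      # None: idle expiry
    }

    # An active user within the window keeps working; logout revokes immediately.
    ta = hardened.login("ops", now=t0)
    results["hardened_active"] = hardened.validate(ta, now=t0 + 10 * 60)
    results["logout_revokes"] = (hardened.logout(ta), hardened.validate(ta, now=t0 + 11 * 60))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The sliding window is deliberately separate from the absolute cap: activity refreshes `last_seen`, but nothing refreshes `created_at`, so even a busy session is forced to re-authenticate after `max_lifetime`. The trade-off the remediation text mentions (more frequent re-authentication for long administrative sessions) is exactly the choice of those two numbers.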
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Expor
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resul
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS fil
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to r
Same weakness CWE-613 – Insufficient Session Expiration
Same technique: Information Disclosure
EUVD-2025-210239